Credit card security is evolving but not fast enough

By Julio Ojeda-Zapata, Pioneer Press

Posted: 02/05/2014 09:43:03 AM PST

Sen. Mark Warner, D-Va., chairman of the Senate Banking Subcommittee on National Security and International Trade and Finance, displays his personal bank card as he leads a hearing on the recent incidents of mass credit card fraud in Washington. (J. Scott Applewhite/AP Photo)

As any U.S. traveler who has ordered steak tartare on the Champs-Élysées in Paris knows, paying with a credit card abroad is often very different than it is here.

Instead of handing off a card to a waiter, who vanishes with it, the Parisian waiter brings a tech gadget to the table. The diner sticks the card in a slot, taps in a numerical code and claims one of the two receipts the machine spits out. The server gets the other.

This slot-and-code mambo is how consumers pay for retail purchases and so on all around the globe — but not in the United States. The U.S. is a laggard, with old-hat swiping of 1980s-era magnetic stripe technology and signature scrawling.

That is about to change, big time.

Merchants in this country are scrambling to deploy so-called “chip-and-PIN” payment technology — spurred in part by recent massive data-security breaches at Target stores and other retailers that have compromised consumer financial information.

Not everyone believes this is the answer to this problem, however.

That chip-and-PIN moniker came up repeatedly Tuesday during a U.S. Senate Judiciary Committee hearing about those breaches.

Senators, including Minnesota's Al Franken and Amy Klobuchar, grilled witnesses who included a Target executive. The Target breach from Nov. 27 to Dec. 18 compromised the credit-card information of an estimated 40 million customers.

Target, which had already committed to deploying chip-and-PIN technology, said Tuesday that it has moved up installation of new card-processing hardware, to be completed by late this year. Customers should get compatible cards by the first half of 2015, Target's chief financial officer, John Mulligan, told the Senate committee.

Chip-and-PIN is expected to be widespread, if not ubiquitous, in the U.S. by 2015.

The “chip” part of the moniker refers to a computer chip embedded in the card and containing a card user's personal information. The chip replaces the magnetic stripe.

The “PIN” part refers to the personal identification number used to consummate transactions via this next-generation payment system.

Chip-and-PIN technology is not new. In fact, variations of it have been around for decades.

The best-known version of this technology, EMV, has been around since early this decade. EMV is short for Europay, MasterCard and Visa, in a reference to the organizations that champion it.

EMV is more secure, according to its proponents, because that embedded chip is more difficult to compromise or replicate than information stored on magnetic stripes. That PIN adds another layer of security, since a person stealing a card does not know the PIN code associated with it.

Thus the mass production of counterfeit cards containing stolen numbers becomes several orders of magnitude more difficult, said Mike Keresman, chief executive of CardinalCommerce Corp.

“You don't eliminate fraud, but you make it so bloody expensive that it's not worth it,” Keresman said.

But EMV has critics who argue the already aging system is not the technology required to render financial systems impervious to attack.

The technology, though more secure than the version being used in the United States, is vastly less secure than modern payment-processing technologies that retailers and others should be considering, said Ryan Carlson, who is the technology evangelist at the Nerdery in Minneapolis, and has a decade of familiarity with payment-processing systems.

“EMV is a straw man,” Carlson said. “Adding EMV is only building a false sense of confidence for end users.”

As Carlson and others have noted, the Target security breach largely occurred at a server level within Target, which means EMV in all likelihood would have made little difference.

Since EMV “is nothing new,” Carlson added, “criminals have had the last decade” to scrutinize its vulnerabilities.

Then there's the cost, he said.

Deploying EMV in any country is a gargantuan undertaking with a stratospheric price tag, which is one of the reasons U.S. companies have been slow to put it in place. Deployments elsewhere in the world have been bumpy, with many delays, Carlson noted.

For this reason, he doubts EMV will be ubiquitous by 2015 as has been promised. “I predict the soonest we would have any level of compliance is 2020,” he said.

And that mainly means large firms with the deep pockets required to undertake such a daunting migration. Many small companies won't be able to afford it, which in itself represents a security risk since criminals would turn their attention to such insecure mom-and-pop enterprises, Carlson noted.

“By forcing everyone to invest in such an old technology, we are crippling ourselves into making an investment” in the wrong technology, he believes.

So if not EMV, then what? That is yet another problem, he said.

“There are dozens of secure payment methods, but no clear winner,” Carlson added. “But when the dust settles and we actually have a better, more secure and convenient way of paying, EMV equipment will be gathering dust in a corner.”

EMV proponents and critics tend to agree on one thing: The technology has no bearing on online or “card not present” purchases such as on Amazon.com — so alternate security technologies are required in that arena.